If you were a 23andMe customer whose personal and genetic data was exposed in the company’s massive 2023 breach, the $30 million class action settlement offered three options: file a claim for cash compensation, opt out to preserve your right to sue independently, or object to the settlement terms before the court granted final approval. As of March 2026, all three deadlines have passed. The court granted final approval on January 20, 2026, the opt-out and objection deadlines expired on December 29, 2025, and the claim filing deadline closed on February 17, 2026. If you missed those windows, your only remaining option may be enrolling in the five-year monitoring benefit, which could still be available.
This settlement grew out of a breach that compromised the names, addresses, and genetic data of approximately 6.4 million U.S. residents — close to half of 23andMe’s customer base at the time. The situation became even more complicated when 23andMe filed for bankruptcy in March 2025, folding the litigation into Chapter 11 proceedings in the Eastern District of Missouri. For someone who received a breach notification but never got around to filing,
Table of Contents
- What Did the 23andMe Data Breach Settlement Offer Customers Who Filed Claims, Opted Out, or Objected?
- Who Qualified as a Settlement Class Member and What Were the Limitations?
- How 23andMe’s Bankruptcy Changed the Settlement Process
- Filing an Extraordinary Claim vs. Taking the Statutory Payment — Which Made More Sense?
- Common Problems With the 23andMe Settlement and What Claimants Should Watch For
- What Happens to Your Genetic Data After the Sale to TTAM Research Institute?
- The Broader Implications of the 23andMe Settlement for Genetic Data Privacy
- Frequently Asked Questions
What Did the 23andMe Data Breach Settlement Offer Customers Who Filed Claims, Opted Out, or Objected?
The settlement created a $30 million fund administered by Kroll, with payments divided into distinct tiers based on the type of harm a class member experienced. At the top end, customers who suffered documented out-of-pocket losses — such as costs from identity theft, fraudulent charges, or time spent resolving credit issues directly tied to the breach — could claim up to $10,000 in extraordinary damages. Those whose health or genetic information was specifically compromised could file for up to $165 under the Health Information Claims category. Residents of Alaska, California, Illinois, or Oregon were eligible for a Statutory Cash Claim estimated at roughly $100, reflecting state-specific data privacy laws that provide additional statutory damages.
Beyond the cash tiers, every eligible class member could enroll in five years of Privacy & Medical Shield plus Genetic Monitoring through Cyberscout, a package valued at approximately $1,875. For customers who opted out before the December 29, 2025, deadline, the tradeoff was clear: they preserved their right to file an independent lawsuit but forfeited any claim to the settlement fund. Those who objected had the opportunity to challenge the settlement terms in court before final approval, though the Bankruptcy Court approved the deal on January 20, 2026. In practical terms, someone who lost $3,000 to identity fraud after the breach had strong reason to file an extraordinary claim, while someone with no documented losses but a concern about long-term genetic data exposure might have found the monitoring benefit more valuable than the $100 statutory payment.
Who Qualified as a Settlement Class Member and What Were the Limitations?
Eligibility was defined by three criteria: you had to have been a 23andMe customer between May 1, 2023, and October 1, 2023, you had to have resided in the United States during that period, and you had to have received a data breach notification from the company. That last requirement is where some customers fell through the cracks. If 23andMe did not send you a notification — perhaps because your email address on file was outdated, or you had deleted your account before the notification went out — you may not have been considered part of the class, even if your data was among the 6.4 million records compromised.
However, if you did receive a first notice as late as January 5, 2026, the claim filing deadline was extended to March 1, 2026, rather than the standard February 17 cutoff. This exception acknowledged that some customers were notified later than others due to the complexities of the bankruptcy process and the transition of 23andMe’s assets. It is worth noting that the statutory cash claims of roughly $100 were limited to residents of just four states — Alaska, California, Illinois, and Oregon — meaning customers in the other 46 states had no statutory tier available to them. Those individuals could still file extraordinary claims if they had documented losses, or they could enroll in the monitoring services, but the baseline cash payment was not universally available.
How 23andMe’s Bankruptcy Changed the Settlement Process
The breach disclosure came on October 6, 2023, but the path to a settlement was anything but straightforward. 23andMe filed for Chapter 11 bankruptcy on March 23, 2025, in the Eastern District of Missouri, which meant the class action litigation was absorbed into bankruptcy proceedings rather than proceeding through the typical federal court system. This shift had real consequences for claimants. Bankruptcy courts balance the interests of all creditors — not just data breach victims — so the $30 million fund had to be negotiated alongside other claims against the company’s remaining assets. The Bankruptcy Court approved the sale of 23andMe’s assets to TTAM Research Institute, which was completed on July 14, 2025. After the sale, 23andMe Holding Co. and 23andMe, Inc.
Changed their names to Chrome Holding Co. and ChromeCo, Inc. For customers, this meant the company they originally did business with no longer existed in any recognizable form. U.S. Bankruptcy Judge Brian C. Walsh granted preliminary approval of the settlement on October 2, 2025, and final approval followed on January 20, 2026. The bankruptcy context is important because it meant the settlement amount was shaped not just by the strength of the class claims, but by the limited assets available after a company that was once valued at $6 billion had effectively collapsed.
Filing an Extraordinary Claim vs. Taking the Statutory Payment — Which Made More Sense?
For the small percentage of class members who had clear, documented financial losses from the breach, the extraordinary claims tier — up to $10,000 — was the obvious path. This required proof: bank statements showing fraudulent charges, receipts for credit monitoring services purchased before the settlement, records of time spent dealing with identity theft, or documentation of other direct expenses traceable to the compromised data. The burden of proof was on the claimant, and vague assertions of harm would not have met the standard.
For most class members, though, the realistic options were the statutory cash payment of roughly $100 (if they lived in one of the four qualifying states) or the monitoring package. Consider the math: five years of Privacy & Medical Shield plus Genetic Monitoring was valued at approximately $1,875. If you were genuinely concerned about long-term misuse of your genetic data — a type of information that cannot be changed like a password or credit card number — the monitoring benefit arguably delivered more value than a one-time $100 check. On the other hand, monitoring services have limited practical utility if your data has already been sold on the dark web, and there is no guarantee that the monitoring would catch every misuse of genetic information, which is still a relatively new category of identity risk.
Common Problems With the 23andMe Settlement and What Claimants Should Watch For
One of the most significant issues with this settlement was the compressed timeline created by the bankruptcy process. Preliminary approval came on October 2, 2025, and the opt-out and objection deadlines were just under three months later on December 29, 2025. For a breach affecting 6.4 million people, that was a tight window — particularly for customers who may not have been closely following the bankruptcy proceedings. Some class members reported not receiving notice until well after the preliminary approval, which is why the extended March 1, 2026, deadline was created for those who received first notice on January 5, 2026. Another concern involves the monitoring services.
While enrollment may still be open for eligible class members, the monitoring is provided by Cyberscout, and the quality and responsiveness of such services can vary. Genetic monitoring in particular is a relatively new offering, and there is no established track record for how effectively it detects misuse of DNA-related data. Claimants should also be aware that scam communications related to this settlement have circulated. Any legitimate correspondence about the 23andMe settlement comes through the official settlement website at 23andmedatasettlement.com or from Kroll, the settlement administrator. If you receive a call, text, or email asking for payment or sensitive personal information to “process your claim,” it is fraudulent.
What Happens to Your Genetic Data After the Sale to TTAM Research Institute?
The sale of 23andMe’s assets to TTAM Research Institute raised questions that the settlement itself did not fully resolve. When a company that holds your DNA data changes hands, the privacy policies you originally agreed to may not carry forward in the same form. The asset sale was completed on July 14, 2025, and the renamed entities — Chrome Holding Co.
And ChromeCo, Inc. — are distinct from the company customers originally trusted with their genetic samples. Customers who are concerned about ongoing data retention should check whether they can still request deletion of their genetic data from the successor entities, as the right to deletion may depend on both the original terms of service and applicable state privacy laws.
The Broader Implications of the 23andMe Settlement for Genetic Data Privacy
The 23andMe breach and its aftermath may represent a turning point in how genetic data is treated under U.S. law. Unlike a stolen credit card number, which can be reissued, or a compromised password, which can be changed, genetic data is permanent and uniquely identifying.
The fact that the settlement included a specific Health Information Claims tier and a genetic monitoring benefit signals that courts and settling parties recognize this data as categorically different from standard personal information. Going forward, this settlement could serve as a benchmark for future genetic data breach cases, particularly as more companies collect DNA samples for health, ancestry, and research purposes. Whether the $30 million fund was adequate for the scope of the breach — affecting roughly 6.4 million people — will likely be debated by privacy advocates for years.
Frequently Asked Questions
Can I still file a claim for cash compensation in the 23andMe settlement?
No. The claim filing deadline was February 17, 2026 (with an extended deadline of March 1, 2026, for those who received first notice on January 5, 2026). Both deadlines have now passed, and cash claims are closed.
Is the free monitoring benefit still available?
Enrollment in the five-year Privacy & Medical Shield plus Genetic Monitoring from Cyberscout may still be open. Check the official settlement website at 23andmedatasettlement.com for current enrollment status.
How much money will I receive from the settlement?
Payment amounts depend on the tier. Extraordinary claims allowed up to $10,000 with documentation of losses, Health Information Claims offered up to $165, and Statutory Cash Claims were estimated at roughly $100 for residents of Alaska, California, Illinois, or Oregon. Actual payment amounts may be adjusted based on the number of valid claims filed against the $30 million fund.
What happened to 23andMe after the settlement?
23andMe filed for bankruptcy on March 23, 2025. Its assets were sold to TTAM Research Institute on July 14, 2025, and the company was renamed to Chrome Holding Co. and ChromeCo, Inc.
I never received a breach notification. Am I still part of the settlement class?
Eligibility required that you received a data breach notification from 23andMe, were a customer between May 1, 2023, and October 1, 2023, and resided in the United States during that period. If you did not receive a notification, you may not be considered a class member, though you can check with the settlement administrator, Kroll, for clarification.
Can I still sue 23andMe independently?
Only if you submitted a valid opt-out request before the December 29, 2025, deadline. If you did not opt out, you are bound by the settlement terms and have released your claims against the company.